by ConsiderCrying 2127 days ago
> Facebook can't read your WhatsApp messages

Are we sure it can't? Because WhatsApp is closed-source, its GDrive backups are unencrypted and Facebook's whole profit model is based around snooping. Unless they make the app open-source, I'm not trusting them even with a grocery list. People act like E2E is the be-all and end-all but trusting an incredibly shady company on its word is not something I'm comfortable with.

4 comments

Yes, people are reverse engineering the app. You can check the discussions on Hacker News whenever WhatsApp's security is discussed.

GDrive backups are not readable by Facebook; they're readable by Google. End-to-end, if properly implemented, is the be-all and end-all. Except for metadata, which is a problem, but a different one, and Facebook definitely abuses that. But they don't/can't read the contents of chat messages (for now).

It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.

> It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.

Right... consider what your adversary would be giving up by revealing such a secret, even if it was true. That alone provides a not-insubstantial amount of security.

> > Facebook can't read your WhatsApp messages

> Are we sure it can't?

Google can remotely uninstall and install a trojaned version of any app, regardless of app signature, on an official Android distribution.

"Are we sure it can't?"

No, there's a 1-2% chance of a backdoor.

The real question is, why is Telegram more secure? There's a 100% chance it can read your group messages, because it says so in their documentation that describes the cloud encryption. There is no E2EE at all for groups. There is no E2EE at all for desktop. Together these mean E2EE is completely neutered and useless. I'm a privacy researcher and I don't use them at all. Why would an average joe?

Open source is not the be-all and end-all of security either. Closed-source apps can still be audited (with increased difficulty), and open-source apps might still be impractical to audit even though they are open source.

Nobody's claimed that. Open source is not a panacea for verifiable security; it is, however, a requirement of it.

No, it is not necessary _or_ sufficient. That is what I'm saying. You can audit a closed-source app, and there also might be open-source apps which are impractical to audit despite them being open source.

If you have your closed-source app audited, everyone needs to trust the audit company. And I've seen some shit audits in my life that told absolutely nothing about the actual security.

Open source means anyone can audit and verify that nothing was done after the audit.

Moxie more or less audited WhatsApp's Signal protocol implementation, and people are right to be concerned about whether changes have been made since FB bought the app.

It can also be reverse engineered by third parties. WhatsApp in particular has been subject to extensive analysis by reverse engineering.